How much power should governments have over the domain name industry? Should the industry be held responsible for the actions of its customers? Are domain names the way to stop crime?
These are some of the questions likely to be addressed during ICANN’s latest public comment period, which could prove to be one of the most important consultations it’s ever launched.
ICANN wants comments on governmental advice issued during the Beijing meeting two weeks ago, which sought to impose a broad regulatory environment on new gTLD registries.
According to this morning’s announcement:
[ICANN’s Board New gTLD Committee] has directed staff to solicit comment on how it should address one element of the advice: safeguards applicable to broad categories of New gTLD strings. Accordingly, ICANN seeks public input on how the Board New gTLD Committee should address section IV.1.b and Annex I of the GAC Beijing Communiqué.
Annex 1 of the Beijing communique is the bit in which the GAC told ICANN to impose sweeping new rules on new gTLD registries. It’s only a few pages long, but that’s because it contains a shocking lack of detail.
For all new gTLDs, the GAC wants ICANN to:
- Apply a set of abuse “safeguards” to all new gTLDs, including mandatory annual Whois accuracy audits. Domain names found to use false Whois would be suspended by the registry.
- Force all registrants in new gTLDs to provide an abuse point of contact to the registry.
- Make registries responsible for adjudicating complaints about copyright infringement and counterfeiting, suspending domains if they decide (how, it’s not clear) that laws are being broken.
For the 385 gTLD applications deemed to represent “regulated or professional sectors”, the GAC wants ICANN to:
- Reject the application unless the applicant partners with an appropriate industry trade association. New gTLDs such as .game, .broadway and .town could only be approved if they had backing from “relevant regulatory, or industry self-regulatory, bodies” for gaming, theater and towns, for example.
- Make the registries responsible for policing registrants’ compliance with financial and healthcare data security laws.
- Force registries to include references to organic farming legislation in their terms of service.
For gTLD strings related to “financial, gambling, professional services, environmental, health and fitness, corporate identifiers, and charity” the GAC wants even more restrictions.
Essentially, it’s told ICANN that a subset of the strings in those categories (it didn’t say which ones) should only be operated as restricted gTLDs, a little like .museum or .post are today.
It probably wouldn’t be possible for a poker hobbyist to register a .poker domain in order to blog about his victories and defeats, for example, unless they had a license from an appropriate gambling regulator.
Attempting to impose last-minute rules on applicants appears to reverse one of the GAC’s longstanding GAC Principles Regarding New gTLDs, dating back to 2007, which states:
All applicants for a new gTLD registry should therefore be evaluated against transparent and predictable criteria, fully available to the applicants prior to the initiation of the process. Normally, therefore, no subsequent addition selection criteria should be used in the selection process.
The Beijing communique also asks ICANN to reconsider allowing singular and plural versions of the same string to coexist, and says “closed generic” or “exclusive access” single-registrant gTLDs must serve a public interest purpose or be rejected.
There’s a lot of stuff to think about in the communique.
But ICANN’s post-Beijing problem isn’t whether it should accept the GAC’s advice, it’s to first figure out what the hell the GAC is actually asking for.
Take this bit, for example:
Registry operators will require that registrants who collect and maintain sensitive health and financial data implement reasonable and appropriate security measures commensurate with the offering of those services, as defined by applicable law and recognized industry standards.
This one paragraph alone raises a whole bunch of extremely difficult questions.
How would registry operators identify which registrants are handling sensitive data? If .book has a million domains, how would the registry know which are used to sell books and which are just reviewing them?
How would the registries “require” adherence to data security laws? Is it just a case of paying lip service in the terms of service, or do they have to be more proactive?
What’s a “reasonable and appropriate security measure”? Should a .doctor site that provides access to healthcare information have the same security as one that merely allows appointments to be booked? What about a .diet site that knows how fat all of its users are? How would a registry differentiate between these use cases?
Which industry standards are applicable here? Which data security laws? From which country? What happens if the laws of different nations conflict with each other?
If a registry receives a complaint about non-compliance, how on earth does the registry figure out if the complaint is valid? Do they have to audit the registrant’s security practices?
What should happen if a registrant does not comply with these laws or industry standards? Does its domain get taken away? One would assume so, but the GAC, for some reason, doesn’t say.
The ICANN community could spend five years discussing these questions, trying to build a framework for registries to police security compliance, and not come to any consensus.
The easier answer is of course: it’s none of ICANN’s business.
Is it ICANN’s job to govern how web sites securely store and transmit healthcare data? I sure hope not.
And those are just the questions raised by one paragraph.
The Beijing communique as a whole is a perplexing, frustrating mess of ideas that seems to have been hastily cobbled together from a governmental wish-list of fixes for perceived problems with the internet.
It lacks detail, which suggests it lacks thought, and it’s going to take a long time for the community to discuss, even as many affected new gTLD applicants thought they were entering the home stretch.
Underlying everything, however, is the question of how much weight the GAC’s advice — which is almost always less informed than advice from any other stakeholder group — should carry.
ICANN CEO Fadi Chehade and chair Steve Crocker have made many references recently to the “multi-stakeholder model” actually being the “multi-equal-stakeholder model”.
This new comment period is the first opportunity the other stakeholders get to put this to the test.